Part I: How online crooks put us all at risk

INTERNET FRAUD EPIDEMIC COSTING BILLIONS OF DOLLARS

Photo: The silhouette of Paul Moriarty, left, and Paul "Fergie" Ferguson is cast on a screen at Trend Micro's Cupertino office. Moriarty is now an independent security researcher; Ferguson is network architect at Trend Micro.

Somewhere in St. Petersburg, Russia's second city, a tiny start-up has struck Internet gold. Its dozen-odd employees are barely old enough to recall the demise of the Soviet Union, but industry analysts believe they're raking in well over $100 million a year from the world's largest banks, including Wells Fargo and Washington Mutual.

Their two-year rise might be the greatest success story of the former Eastern Bloc's high-tech boom - if only it weren't so illegal. But the cash may be coming from your bank account, and they could be using the computer in your den to commit their crimes.

The enigmatic company, which the security community has dubbed "Rock Phish," has rapidly grown into a giant of the Internet underground by perfecting a common form of Internet crime known as "phishing." The thieves capture people's personal computers, then use them to send phony e-mails that trick other users into revealing private financial information.

Special Report: Ghosts in the Browser

Part I: Cybercrime: How a group of high-tech entrepreneurs has turned the Internet into a tool for massive fraud.

Part II: Businesses, governments, and citizens fail to take precautions, allowing cybercrooks to thrive.

Part III: The U.S. government isn't devoting the resources needed to combat Internet crime.

"Rock is the standard. They're the Microsoft. Everyone else is a bit player," said Jose Nazario, a researcher at security company Arbor Networks.

As big as Rock Phish has become, though, it is a sliver of a much larger problem.

During the past few years, a professional class bent on stealthy online fraud has transformed Internet crime, rendering obsolete the hobbyist hackers who sought fun and fame. These Al Capones of the information age are like ghosts in our Web browsers, silently taking over our computers, stealing digital bits, and turning our data into cash.


They've created a sophisticated, cyberspace shadow economy, which government and research firms estimate costs us tens of billions of dollars annually. The crimes themselves, and their staggering effect on our wallets, are disturbing. Yet the greater concern is the failure of corporate executives, government leaders and average citizens to comprehend the mounting threat and fight back.

"People talk about a 'Digital Pearl Harbor,' but that's already happened," said Rick Wesson, chief executive of Support Intelligence, one of many Silicon Valley companies battling these cybercriminals. "It's just that people don't understand it has happened."

Organized online crime didn't appear out of nowhere - security experts have been tracking its growth for years - but by almost every measure, it's exploding: The number of new pieces of malicious software, or malware, tripled in the first half of this year vs. the previous six months, according to Cupertino computer security company Symantec. And the number of phishing Web sites spotted in the first three months of 2007 by Santa Clara security software maker McAfee skyrocketed 784 percent compared with the year before.

These attacks cost real people real money - individual Americans lost at least $200 million last year to online fraud - and that's just the people who took the time to report their misfortune to the FBI's Internet Crime Complaint Center.

Those 200,000 cyberfraud victims said they were swindled out of an average of $724 - an amount small enough to discourage individual reporting, and to help keep Rock Phish relatively hidden.

Want to know more?

How you can protect yourself from online crime at the Federal Trade Commission's OnGuardOnline

Cybersecurity advice from technology companies at the National Cyber Security Alliance's StaySafeOnline

If you think you've been a victim of an online crime, report it to the Internet Crime Complaint Center, operated by the FBI and the National White Collar Crime Center

Businesses are hit even harder: Average annual losses from security incidents doubled to $345,000 per company in the 2007 Computer Security Institute survey. A 2006 FBI estimate pegged the total cost of cybercrime to businesses above $67 billion.

Security vendors, research firms and law enforcement all have an incentive to inflate the numbers when it might mean increasing sales, visibility or funding. At the other extreme, businesses like banks are motivated to play down the problem. Yet the general trend is clear to almost everyone who has studied Internet security: Cybercrime is pervasive, and getting worse.

"The volume in absolute numbers is going through the roof," said Mark Harris, global director of SophosLabs, the research unit of British security vendor Sophos. "We've simply stopped counting."

Art of phishing: Cunning mixed with know-how

The Internet has handed post-modern swindlers an endless supply of marks, and cheap tools to attack millions with a single click.

In phishing, one of the most successful scams, people are tricked into revealing their passwords and other account information by phony e-mails that purport to come from banks. Cybercriminals then use that information to pilfer money. The first such schemes hit America Online members a decade ago. The attacks then spread to e-mail, targeting eBay and banks. Before long, Americans were getting phished by the thousands.

Rock Phish has raised phishing to an art. What the group lacks in technical wizardry, it makes up for with cunning, to bait even wary computer users and avoid detection in the process:

• The e-mails look professional, in part, because even the early campaigns were sent in perfect English. In the past year or so, Rock Phish has expanded its target audience by conducting campaigns in French, German and even Dutch.

• Rock Phish was one of the first to fool anti-spam programs by hiding the phish inside an image, instead of typing it in as text.

• Rock Phish wrote software that created a series of Web sites with slightly altered names, avoiding detection by spam-blockers on the lookout for one single link showing up repeatedly in e-mails.

The scale of the operation is enormous: Rock Phish is responsible for as many as half of all phishing sites worldwide, according to a University of Cambridge study. More people see Rock Phish messages, click on their links, and give up valuable banking information than in any other phishing campaign. If frauds are measured by their number of victims, Rock Phish is one of the most successful in history.

Malware: Hidden code opens door to private data

Rock Phish, of course, is only one of a highly successful new breed of cybercriminals. Other organizations have developed completely different schemes with the same goal: Steal cash from unsuspecting Internet users.

Some people are lured into visiting Web pages containing malware, either by inadvertently visiting infected sites or by clicking on an e-mailed link. There, a pixel-size frame (an HTML iframe), invisible to the user, loads attack code that is silently installed on the computers of visitors lacking the latest Web browser security updates. Most users have no idea such a "drive-by download" has taken place, even as the installed Trojan horses surreptitiously log their banking passwords or other private information.
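An added example, not code from the article or from any of the researchers it quotes: a small Python scanner that applies the two giveaways the paragraph describes, a frame sized to a pixel or two, or a frame hidden by CSS, to a page's HTML. The sample page, the hostnames in it (attacker.invalid, video.example.com) and the 2-pixel size threshold are constructed for illustration and are not standards.

```python
"""Flag hidden or pixel-size iframes of the kind used in drive-by downloads.

Added example for illustration; the sample page and hostnames below are
constructed, and the 2-pixel threshold is an assumption, not a standard.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one visible third-party frame (normal) and two
# concealed ones, as a compromised customer-support site might carry.
SAMPLE_HTML = """
<html><body>
<h1>Customer support</h1>
<iframe src="https://video.example.com/player" width="640" height="360"></iframe>
<iframe src="http://attacker.invalid/in.php" width="1" height="1" frameborder="0"></iframe>
<div style="display: none">
  <iframe src="http://attacker.invalid/x.html"></iframe>
</div>
</body></html>
"""

TINY_PX = 2                      # assumed: frames this small are not meant to be seen
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}   # never get an end tag


def _px(value):
    """Parse '1', '1px' or '100%' into its leading integer, or None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class IframeCollector(HTMLParser):
    """Record every <iframe> together with whether it is tiny or CSS-hidden."""

    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, hides_children) for each open element
        self.hidden_depth = 0    # >0 while inside an element hidden by CSS
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hides = "display:none" in style or "visibility:hidden" in style
        if tag == "iframe":
            w, h = _px(a.get("width")), _px(a.get("height"))
            tiny = (w is not None and w <= TINY_PX) or (h is not None and h <= TINY_PX)
            src = a.get("src") or ""
            self.found.append({
                "src": src,
                "host": urlparse(src).hostname or "",
                "tiny": tiny,
                "hidden": hides or self.hidden_depth > 0,
            })
        if tag not in VOID_TAGS:
            self.stack.append((tag, hides))
            if hides:
                self.hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, leaving any CSS-hidden scope on the way.
        while self.stack:
            open_tag, hides = self.stack.pop()
            if hides:
                self.hidden_depth -= 1
            if open_tag == tag:
                break


def suspicious_iframes(html):
    """Return the iframes a drive-by scan would flag: the tiny or hidden ones."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return [f for f in parser.found if f["tiny"] or f["hidden"]]


if __name__ == "__main__":
    for frame in suspicious_iframes(SAMPLE_HTML):
        print(f"{frame['host']:<20} tiny={frame['tiny']} hidden={frame['hidden']}  {frame['src']}")
```

Run on the constructed page it reports the two attacker.invalid frames and ignores the visible video player. In practice a scan like this is only a first filter: the flagged frame's target still has to be fetched and examined (the approach behind the Google study described below), and legitimate pages do use tiny frames for tracking, so the host of the frame matters as much as its size.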

Criminals are increasingly hiding this malware within apparently safe sites. Last year, Circuit City acknowledged that its customer-support site had been hacked and was serving up dangerous code, allowing hackers to take control of visitors' PCs.

In an April research paper called "The Ghost In The Browser," a Google security team led by Niels Provos described a digital hunt through billions of Web pages searching for malicious sites. Using a process Provos calls "conservative," the team identified more than 450,000 Web pages that included malicious code, and 700,000 that "seemed" dangerous. Google says the numbers are now much larger.

Even the least technical crooks can launch phishing campaigns or control a network of millions of hacked computers at the touch of a button, by purchasing do-it-yourself cybercrime kits.

For about $1,000 on underground sites, you can buy MPack, a full-service malware attack and distribution kit, which lets you host a Web page that infects any user who visits. Owners can even monitor the number, type and location of infections from MPack's handy console page.

Criminal groups: Elusive, 'run as a well-oiled machine'

Despite intense scrutiny, security experts are still struggling to understand much about these criminal organizations and the scams they carry out.

Take, for example, the giant Rock Phish. Some researchers believe many attacks attributed to the group are actually launched by copycats who have purchased a Rock Phish kit. Experts who've tracked the group for years toss out conflicting names of its suspected kingpins and lieutenants, none of whom has been apprehended.

"They're incredibly elusive, and a bunch of theories are going on about them - many are well-informed, many aren't," said Arbor Networks' Nazario, who compares Rock Phish to Keyser Soze, the master criminal of "The Usual Suspects" who authorities futilely pursued even as they doubted his very existence.

This much seems known:

Rock Phish takes advantage of a division of labor that didn't exist among hacker groups even a few years ago.

"It's got to run as a well-oiled machine to do what they do," with one member planning attacks while others schedule the work or oversee operations, said Arjen de Landgraaf, who has spent two years investigating Rock Phish on behalf of his New Zealand security consulting firm, E-Secure-IT.

Rock Phish's e-mail campaigns - like much of the underground online economy - rely heavily on botnets, short for "robot networks," to confuse victims and evade cybercops. Each botnet is an army of zombie PCs, some in corporations, some in your neighbors' living rooms, under remote control of Internet crooks, launching new rounds of malicious attacks.

Security researchers say Rock Phish was among the first criminal groups to employ a twist on the botnet system called a fast-flux network. In essence, it's a technological shell game: the phishing site's domain name is answered with a constantly changing set of infected machines' addresses, so visitors are bounced through a different zombie every few minutes and there is no single server to unplug, which makes it harder to track malicious Web traffic to its source. It takes, on average, twice as long for Web hosts to locate and shut down the group's fast-flux phishing sites, compared with its already long-lasting traditional sites.
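An added example, not code from the article or from any vendor's product, showing what a defender would measure to recognise the shell game just described: repeated DNS lookups of one hostname, scored on how many addresses it returns, across how many networks, with what TTL, and how quickly the set turns over. The lookups below are constructed from documentation address ranges, the /24 prefix is used as a stand-in for network-owner (ASN) diversity, and the thresholds in is_fast_flux() are assumptions chosen for illustration.

```python
"""Fast-flux heuristics over repeated DNS lookups of one hostname.

Added example, not from the article or any vendor's product. The answers
below are constructed (documentation address ranges), and the thresholds
in is_fast_flux() are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class Answer:
    t: int          # seconds since the first lookup (constructed)
    ttl: int        # TTL the resolver returned with the A records
    ips: list       # A records in this answer, in the order returned


# Constructed: a site on ordinary hosting answers the same two addresses
# with a long TTL every time.
STABLE = [
    Answer(0,    3600, ["203.0.113.10", "203.0.113.11"]),
    Answer(600,  3600, ["203.0.113.10", "203.0.113.11"]),
    Answer(1200, 3600, ["203.0.113.11", "203.0.113.10"]),
]

# Constructed: a fast-flux hostname hands out a short TTL and a rotating
# set of bot addresses spread over several networks.
FLUX = [
    Answer(0,   180, ["198.51.100.7", "192.0.2.44", "203.0.113.201", "198.51.100.99", "192.0.2.8"]),
    Answer(300, 180, ["192.0.2.8", "198.51.100.23", "203.0.113.17", "192.0.2.130", "198.51.100.7"]),
    Answer(600, 180, ["203.0.113.55", "192.0.2.201", "198.51.100.140", "192.0.2.8", "203.0.113.17"]),
]


def flux_metrics(answers):
    """Summarise how much the A records for a name move between lookups."""
    seen = set()
    new_after_first = 0       # addresses first seen in a later lookup
    records_after_first = 0   # addresses returned in lookups after the first
    for i, ans in enumerate(answers):
        ips = {str(ip_address(ip)) for ip in ans.ips}   # normalise and validate
        if i > 0:
            new_after_first += len(ips - seen)
            records_after_first += len(ips)
        seen |= ips
    # /24 prefix diversity stands in for ASN diversity, which needs a routing
    # database this stand-alone example does not have.
    prefixes = {ip.rsplit(".", 1)[0] for ip in seen}
    return {
        "distinct_ips": len(seen),
        "distinct_prefixes": len(prefixes),
        "min_ttl": min(a.ttl for a in answers),
        "churn": (new_after_first / records_after_first) if records_after_first else 0.0,
    }


def is_fast_flux(answers, min_ips=8, min_prefixes=3, max_ttl=300, min_churn=0.3):
    """Assumed thresholds: many addresses, several networks, short TTL, high churn."""
    m = flux_metrics(answers)
    return (m["distinct_ips"] >= min_ips and m["distinct_prefixes"] >= min_prefixes
            and m["min_ttl"] <= max_ttl and m["churn"] >= min_churn)


if __name__ == "__main__":
    for name, answers in (("stable", STABLE), ("flux", FLUX)):
        verdict = "fast-flux" if is_fast_flux(answers) else "ordinary"
        print(name, flux_metrics(answers), verdict)
```

The flux sample returns eleven distinct addresses over three networks with a 180-second TTL and 60 percent of each later answer being new, while the stable sample never changes. The caveat a practitioner needs: content-delivery networks also answer with short TTLs and rotating addresses, so a score like this is a lead for investigation, not a blocklist rule, and known CDN ranges are normally allowlisted before it is applied.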

Armed with information from computer users who respond to the group's phishing scams, Rock Phish logs into their online bank accounts.

Rock Phish then transfers money from victims' accounts to the accounts of money mules. These unsuspecting assistants have been hired by phony Rock Phish companies that sport innocuous names.

The assistants get e-mail notices that money has been deposited in their personal bank accounts. They are instructed to withdraw the cash and wire the money, less a commission, back to their employers - who are supposedly international consulting firms.

Mules like these are often the only people arrested in cybercrime cases that follow the money leaking out of victims' bank accounts.

Despite the huge aggregate revenues flowing into the coffers of Rock Phish, it survives at least partly because its founders aren't too greedy. Like many of the most successful cyberschemes, the group spaces out its attacks, launching campaigns against a bank for several days, then moving on to another institution.

Cybercrime crisis: Few can grasp complex reality

Dave DeWalt stood beneath the massive mounted television screen in April, staring at thousands of dots as they flickered across the continents of a digital world map. Each represented a real-time cyberspace attack: green for dozens of spam e-mails spewed out in the past six hours, amber for hundreds and red for more than 500 sent.

DeWalt was inside a corporate laboratory in Aylesbury, England, roughly 5,000 miles from the headquarters of McAfee, which he had recently joined as chief executive. McAfee researchers had narrowed down to a one-mile radius the locations of computers hurling out e-mails to swindle, scam or make life miserable for Internet users.

Dots appeared inside university dorms, popped up across the Middle East, swarmed through Eastern Europe. In more than 20 years in the tech industry, DeWalt had never seen anything like it. He began to understand something few Americans - even at the highest levels of government, business and academia - are able to grasp: the complex reality of the omnipresent cybercrime crisis, spreading worldwide, from Silicon Valley to Southeast Asia.

"I came into McAfee not knowing what was going to hit me," DeWalt said. "It's becoming an epidemic."

This plague of online crime isn't just chaotic wrongdoing on a mass scale - it has coalesced into an interconnected industry that runs the gamut from virus writing to money laundering. Seemingly separate attacks like spam, phishing scams, viruses and Trojans, botnets, and data breaches are the ugly hydra heads of a single, complex beast that functions much like a legitimate market.

An organized crime syndicate might buy a trove of e-mail addresses culled from a data breach; spam out e-mails with a Trojan attached; absorb recipients' computers into a botnet that it rents out to a phishing group, which sends its own e-mails purporting to be from a major bank, asking users to log onto sites hosted on a different botnet; and then the phishers steal money from those accounts and launder them through mules, with everyone taking a cut of the proceeds.

Not even Rock Phish stands alone - evidence points to links between these phishers and the Russian Business Network, an Internet service provider that plays host to several cybercriminals, according to anti-cybercrime detectives at VeriSign iDefense as well as other researchers.

The online crooks are constantly bartering, buying and renting from one another, just as Microsoft and Google rely on other tech companies for the products and services that keep their corporations functioning.

This underground economy's most valuable goods are easily visible - if you know where to look. Inside Internet chat rooms like #ccpower, for example, thieves offer up thousands of credit card numbers, banking accounts and private citizens' personal information, bundled together like mortgage securities. When the message boards begin to light up around midnight Silicon Valley time, a new set is on offer once every few seconds - perhaps 50 cents per credit card number, or $20 for a brand new identity, complete with Social Security number. Inside the forums, thieves can type bot commands into the channel, like !BANK and !cclimit, to find out which bank a stolen account number is from, or the limit on a credit card.

"I can't believe the availability - the quantity, the number," said Gus Dimetrelos, a retired U.S. Secret Service cybercop and security consultant in Alabama. "Who'd have thought you could buy login information to somebody's account that's sitting at home watching her kids, and all the sudden you're shipping her information overseas?"

Tech arms race: Decks stacked in criminals' favor

Cybercriminals are doing everything they can to evade detection by law enforcement in Europe and the United States, from registering domain names with fake or stolen identities and credit cards to bouncing e-mails through botnets on several continents. The most sophisticated groups go "jurisdiction shopping," shifting their Web traffic to tiny countries and obscure island nations, where cybercops are scant or where the United States has few contacts to aid in investigation or extradition.

While cybercriminals do operate out of the United States and other rich countries, many security experts believe the combination of people with 21st-century skills, living in 19th-century economies, is a recipe for disaster.

Russia is the most oft-cited example of this phenomenon; even as its economy grows, some engineers with "good" jobs hack on the side, according to iDefense.

Much like Chicagoans and Capone, the Russians view their hackers with both disdain and grudging pride. On one cover of a prominent Russian hacker magazine, coders are surrounded by scantily clad women, and sport the bling-bling fashion accouterments of American hip-hop artists.

A sort of technical arms race has developed between the cybercriminals and security professionals: When the security vendors found a way to shield customers from text-based phishing, the criminals launched image spam; when anti-spam companies blocked e-mail malware hidden in PDF files, scammers began embedding it in Excel spreadsheets.

These innovations keep the deck stacked in favor of the cybercriminals, at least for now.

Several security researchers say U.S. and foreign law enforcement agencies are trying to capture Rock Phish, though the FBI will not comment. But even if they succeed, it may not matter.

"As long as it's easy to make money, you may take out one organization, but you're just creating a business opportunity for other criminals," said Paul Moriarty, an independent security researcher in Silicon Valley.